CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 2CVE-2008-3824 – Horde Application Framework 3.2.1 - Forward Slash Insufficient Filtering Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-3824
Cross-site scripting (XSS) vulnerability in (1) Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x before 3.2.2 and (2) externalinput.php in Popoon r22196 and earlier allows remote attackers to inject arbitrary web script or HTML by using / (slash) characters as replacements for spaces in an HTML e-mail message. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en (1) el módulo Text_Filter/Filter/xss.php de Horde versiones 3.1.x anteriores a 3.1.9 y versiones 3.2.x anteriores a 3.2.2 y en (2) el módulo externalinput.php de Popoon versión r22196 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección al reemplazar caracteres / (barra) por los espacios en blanco en un mensaje de correo electrónico en formato HTML. • https://www.exploit-db.com/exploits/32353 http://blog.liip.ch/missed-case-in-externalinput-php-resulting-in-viable-xss-attacks.html http://marc.info/?l=horde-announce&m=122103888111491&w=2 http://marc.info/?l=horde-announce&m=122104360019867&w=2 http://ocert.org/patches/2008-012/Text_Filter.31.patch http://ocert.org/patches/2008-012/Text_Filter.patch http://osvdb.org/47996 http://secunia.com/advisories/31842 http://securityreason.com/securityalert/4245 http://www. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2CVE-2008-3823 – Horde 3.2 - MIME Attachment Filename Insufficient Filtering Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-3823
Cross-site scripting (XSS) vulnerability in MIME/MIME/Contents.php in the MIME library in Horde 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via the filename of a MIME attachment in an e-mail message. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el módulo MIME/MIME/Contents.php de la biblioteca MIME de Horde 3.2.x anterior a 3.2.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección utilizando el nombre del fichero adjunto en el mensaje MIME. • https://www.exploit-db.com/exploits/32354 http://marc.info/?l=horde-announce&m=122104360019867&w=2 http://ocert.org/patches/2008-012/MIME.patch http://secunia.com/advisories/31842 http://secunia.com/advisories/31959 http://securityreason.com/securityalert/4245 http://www.debian.org/security/2008/dsa-1642 http://www.ocert.org/advisories/ocert-2008-012.html http://www.openwall.com/lists/oss-security/2008/09/10/1 http://www.securityfocus.com/archive/1/496182/100/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 1%CPEs: 24EXPL: 1CVE-2007-1474 – Horde Framework and IMP 2.x/3.x - Cleanup Cron Script Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2007-1474
Argument injection vulnerability in the cleanup cron script in Horde Project Horde and IMP before Horde Application Framework 3.1.4 allows local users to delete arbitrary files and possibly gain privileges via multiple space-delimited pathnames. Vulnerabilidad de inyección de argumento en la secuencia de comandos cleanup para cron de Horde Project Horde e IMP anterior a Horde Application Framework 3.1.4 permite a usuarios locales borrar archivos de su elección y posiblemente obtener privilegios mediante múltiples nombres de ruta separados por espacios. • https://www.exploit-db.com/exploits/29746 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=489 http://lists.horde.org/archives/announce/2007/000315.html http://secunia.com/advisories/27565 http://www.debian.org/security/2007/dsa-1406 http://www.securityfocus.com/bid/22985 http://www.securitytracker.com/id?1017784 http://www.securitytracker.com/id?1017785 http://www.vupen.com/english/advisories/2007/0965 https://exchange.xforce.ibmcloud.com/vulnerabilities/32997 •
CVSS: 4.3EPSS: 0%CPEs: 38EXPL: 0CVE-2006-4255
https://notcve.org/view.php?id=CVE-2006-4255
Cross-site scripting (XSS) vulnerability in horde/imp/search.php in Horde IMP H3 before 4.1.3 allows remote attackers to include arbitrary web script or HTML via multiple unspecified vectors related to folder names, as injected into the vfolder_label form field in the IMP search screen. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en horde/imp/search.php en Horde IMP H3 anterior a 4.1.3 permite a atacanets remotos incluir secuencias de comandos web o HTML de su elección a través de múltiples vectores no especificados relacionados con nombres de carpetas, como se ha inyectado en el campo de formulario vfolder_label en la pantalla de búsqueda IMP. • http://lists.horde.org/archives/announce/2006/000294.html http://secunia.com/advisories/21533 http://securityreason.com/securityalert/1423 http://securitytracker.com/id?1016713 http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2457 http://www.securityfocus.com/archive/1/443361/100/0/threaded http://www.securityfocus.com/bid/19544 http://www.vupen.com/english/advisories/2006/3316 https://exchange.xforce.ibmcloud.com/vulnerabilities/28409 •